qemu-devel.nongnu.org archive mirror
From: "F. Zhang" <qemustudy@163.com>
To: Mulyadi Santosa <mulyadi.santosa@gmail.com>
Cc: qemu-devel mailing list <qemu-devel@nongnu.org>
Subject: Re:Re: [Qemu-devel] How to make shadow memory for a process? and how to trace the data propation from the instruction level in QEMU?
Date: Mon, 15 Nov 2010 12:43:11 +0800 (CST)	[thread overview]
Message-ID: <c50765.6ec6.12c4dd805c7.Coremail.qemustudy@163.com> (raw)
In-Reply-To: <AANLkTinLUPC0dWUqEaDiYvGpN7MEMWTj2nYEO1fncO3o@mail.gmail.com>


> Please consider it a casual user trying to share simple ideas with you....

I am very pleased to share ideas with you. But my English is too poor, er…, I’ll try my best to make it clear. :)

> Just before it goes too far, have you checked a quite similar project
> which is Argos (http://www.few.vu.nl/argos/)?

Yes, I have read that paper; it’s wonderful!

Besides Argos, the BitBlaze group, led by Dawn Song at Berkeley, has achieved great success in taint analysis. The website about their dynamic analysis work (called TEMU) can be found at: http://bitblaze.cs.berkeley.edu/temu.html

And TEMU is now open source.

> Are you going to say you wanna mimic the way shadow page table works?

Yes. For each process’s memory space A, I wanna make a shadow memory B. The shadow memory is used to store the tag of the data. In other words, if addr in memory A is tainted, then the corresponding byte in B should be marked to indicate that addr in A is tainted.

The question is: I do not know how to make the shadow memory for a process in QEMU.

> How about using one of the unused PTE flags for such a tag?

Sorry, what is the PTE flag?

In fact, the tag is stored in the shadow memory of the process.

Let us consider the following instruction:

mov eax, [esi]

If the data in [esi] is tainted, then eax is tainted, too.

In this instruction, we should first consider whether [esi] is tainted or not. This is done by checking the tag in the shadow memory. If [esi] is tainted, then the tag for eax in the shadow memory is set, too.

The question is: how to implement the above functions? Maybe I should modify the instruction-translation functions to implement the tracing of tainted data propagation?

> Now that's the real "bomb"... I was thinking about creating pseudo
> device...oh wait, maybe using QMP (Qemu monitoring protocol)? Maybe
> you can use the trace framework introduced in Qemu lately?
>
> This is assuming, you wanna "make Qemu cooperate with host OS"...

Yes, I wanna make QEMU cooperate with the GUEST OS. In fact, the malware under analysis is run within the guest OS. The guest OS collects “higher” semantics from the OS level, and QEMU collects “lower” semantics from the instruction level. The combination of both semantics is necessary in the analysis process.

The question is: how to communicate between QEMU and the guest OS, so that they can cooperate with each other?

Maybe I should read the code of TEMU. Er…, that’s a huge amount of work for me.

Best regards

F. Zhang
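The shadow-memory scheme discussed in the message above (one tag per guest byte, and a rule for each instruction that copies or combines tags), as an added example that is not code from this thread or from QEMU, Argos or TEMU. It is a stand-alone C model: the memory layout, the register file, the function names (taint_source, mov_reg_mem, add_reg_reg, ...) and the input bytes are all this example's own assumptions. It also settles, and labels, the policy choices one hits before wiring such tags into an emulator: an immediate is clean, a carry in "add" spreads taint to the whole destination, "xor r, r" clears taint because its result is a constant, and a tainted pointer does not taint the value loaded through it.

```c
/* Added example, not code from QEMU, Argos or TEMU: a byte-granular
 * shadow-memory model that propagates taint tags through a few x86-style
 * instructions. Assumed simplifications: a flat guest memory of MEM_SIZE
 * bytes, little-endian 32-bit registers, one shadow byte per guest byte
 * (0 = clean, 1 = tainted), and no propagation through addresses
 * (a tainted pointer does not taint the loaded value). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x1000u
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };

static uint8_t  mem[MEM_SIZE];      /* guest memory "A" */
static uint8_t  shadow[MEM_SIZE];   /* shadow memory "B": one tag per byte of A */
static uint32_t regs[NREGS];
static uint8_t  reg_taint[NREGS];   /* bit i set: byte i of the register is tainted */

void taint_reset(void) {
    memset(mem, 0, sizeof mem);   memset(shadow, 0, sizeof shadow);
    memset(regs, 0, sizeof regs); memset(reg_taint, 0, sizeof reg_taint);
}

/* Taint source: bytes that came from outside (e.g. a network read) are
 * copied into guest memory and every one of them is tagged. */
void taint_source(uint32_t addr, const uint8_t *data, uint32_t len) {
    for (uint32_t i = 0; i < len; i++) {
        mem[(addr + i) % MEM_SIZE] = data[i];
        shadow[(addr + i) % MEM_SIZE] = 1;
    }
}

/* 4-bit mask of the tags covering the dword at addr. */
uint8_t mem_taint_mask(uint32_t addr) {
    uint8_t m = 0;
    for (int i = 0; i < 4; i++)
        if (shadow[(addr + i) % MEM_SIZE]) m |= (uint8_t)(1u << i);
    return m;
}
uint8_t  reg_taint_mask(int r) { return reg_taint[r]; }
uint32_t reg_value(int r)      { return regs[r]; }

/* mov r, [addr]: data and tags are copied byte for byte. */
void mov_reg_mem(int r, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)mem[(addr + i) % MEM_SIZE] << (8 * i);
    regs[r] = v;
    reg_taint[r] = mem_taint_mask(addr);
}
/* mov r, [base]: the address comes from a register, as in "mov eax, [esi]". */
void mov_reg_ind(int r, int base) { mov_reg_mem(r, regs[base]); }

/* mov [addr], r: the register's per-byte tags land in shadow memory. */
void mov_mem_reg(uint32_t addr, int r) {
    for (int i = 0; i < 4; i++) {
        mem[(addr + i) % MEM_SIZE]    = (uint8_t)(regs[r] >> (8 * i));
        shadow[(addr + i) % MEM_SIZE] = (uint8_t)((reg_taint[r] >> i) & 1);
    }
}

/* mov r, imm32: an immediate is part of the code, so the destination is clean. */
void mov_reg_imm(int r, uint32_t imm) { regs[r] = imm; reg_taint[r] = 0; }

/* add dst, src: a carry can move influence into every higher byte, so any
 * tainted byte on either side taints the whole destination. */
void add_reg_reg(int dst, int src) {
    regs[dst] += regs[src];
    reg_taint[dst] = (reg_taint[dst] | reg_taint[src]) ? 0x0f : 0;
}
/* xor dst, src: bytewise union, except "xor r, r" yields the constant 0
 * and must clear the tags, or taint never dies. */
void xor_reg_reg(int dst, int src) {
    regs[dst] ^= regs[src];
    reg_taint[dst] = (dst == src) ? 0 : (uint8_t)(reg_taint[dst] | reg_taint[src]);
}

/* Worked trace on constructed input; returns 1 when every tag is as expected. */
int demo(void) {
    static const uint8_t input[4] = { 'A', 'B', 'C', 'D' };   /* constructed "untrusted" bytes */
    taint_reset();
    taint_source(0x100, input, 4);  /* untrusted data lands at 0x100..0x103 */
    mov_reg_imm(ESI, 0x100);        /* mov esi, 0x100   (esi clean: it is a constant) */
    mov_reg_ind(EAX, ESI);          /* mov eax, [esi]   -> eax fully tainted */
    mov_reg_imm(EBX, 5);            /* mov ebx, 5 */
    add_reg_reg(EBX, EAX);          /* add ebx, eax     -> ebx tainted */
    mov_mem_reg(0x200, EBX);        /* mov [0x200], ebx -> shadow[0x200..0x203] set */
    xor_reg_reg(EAX, EAX);          /* xor eax, eax     -> eax clean again */
    mov_reg_mem(ECX, 0x300);        /* mov ecx, [0x300] -> untouched memory, ecx clean */
    return reg_taint[EAX] == 0 && reg_taint[EBX] == 0x0f &&
           mem_taint_mask(0x200) == 0x0f && reg_taint[ECX] == 0 &&
           regs[EBX] == 0x44434246u;
}

int main(void) {
    printf("taint flow tracked as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

Each handler is the per-instruction rule the message asks about: look up the source operand's tags in the shadow memory (or the register's tag byte), then write the derived tags to the destination's shadow slot. In an emulator the same rules would be attached wherever the translated code performs its loads, stores and ALU operations; the model above only fixes what those rules should compute.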



Thread overview: 8+ messages
2010-11-14  6:24 [Qemu-devel] How to make shadow memory for a process? and how to trace the data propation from the instruction level in QEMU? F. Zhang
2010-11-14  8:02 ` Mulyadi Santosa
2010-11-15  4:43 ` F. Zhang [this message]
2010-11-15  8:38   ` Mulyadi Santosa
2010-11-15 12:01     ` Lluís
2010-11-16 12:10     ` F. Zhang
2010-11-16 13:49       ` Lluís
2010-11-16 11:39   ` Re:Re: " F. Zhang
